
Re: squirrelmail CSRF vulnerability



On Fri, 11 May 2007, Tim Newsham wrote:

>> 1.4.8-4 is vulnerable to an XSS vulnerability, so an attacker could use the
>> XSS vector to grab the session token ("CSRF token") and continue the CSRF attack.

> This might just be semantics: I wouldn't consider the XSS attack to be a CSRF attack.

The point is, if the application is vulnerable to an XSS vulnerability
then having a CSRF token won't protect you from a CSRF attack. The
attacker could use the XSS vector to steal the CSRF token, much like the
Samy worm worked.

> The XSS script runs in the same context that the user or any legitimate script running on behalf of the user runs. When it makes a reference, it has access to things like the CSRF token.

Exactly, thus the CSRF token won't be much help in protecting you from a
CSRF attack, if the attacker can just parse out that token and use it in
the CSRF attack.

--
 - Josh
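The thread's point, as an added illustration that is not code from this thread or from SquirrelMail: a per-session CSRF token reliably rejects a forged cross-site request (which cannot carry the token), but the token necessarily sits in the page, so any script that runs in the page context can read it; the defence that restores the token's value is output encoding of user-controlled text. The `Session` class, the compose-form renderer, the `handle_send` helper and the sample subject line are a constructed toy model with hypothetical names, chosen only to show the two checks side by side.

```python
import html
import hmac
import secrets


class Session:
    """Toy server-side session: holds a per-session CSRF token and a log of sent mail."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)
        self.outbox = []


def render_compose_form(session, prefill_subject, escape=True):
    """Render a mail-compose form that embeds the session's CSRF token.

    escape=False models the XSS-vulnerable rendering: attacker-controlled text
    (here a subject line) is written into the page unencoded, so it can inject
    markup that runs in the same origin as the form and its token.
    escape=True is the hardened rendering (HTML entity encoding).
    """
    subj = html.escape(prefill_subject, quote=True) if escape else prefill_subject
    return (
        '<form method="POST" action="/send">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        f'<input name="subject" value="{subj}">'
        "</form>"
    )


def handle_send(session, form):
    """Server-side CSRF check on the /send handler.

    A forged request from another origin cannot know the token, so it is
    rejected. A request built by script already running in the page (XSS)
    simply reads the token out of the form and passes this check.
    """
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return False
    session.outbox.append(form["to"])
    return True


def contains_script(page):
    """Crude detector for injected script markup in rendered output (for the demo only)."""
    return "<script" in page.lower()


def token_visible_in_page(page, session):
    """The token is part of the page text whether or not the page is escaped:
    anything executing in the page context can retrieve it."""
    return session.csrf_token in page


if __name__ == "__main__":
    s = Session()
    probe = '"><script>x()</script>'  # constructed marker string, not a real payload
    print("unescaped rendering injects markup:", contains_script(render_compose_form(s, probe, escape=False)))
    print("escaped rendering does not:", contains_script(render_compose_form(s, probe)))
    print("token is readable from the page:", token_visible_in_page(render_compose_form(s, probe), s))
    print("forged request without token accepted:", handle_send(s, {"to": "x@example", "csrf_token": ""}))
    print("in-page request with token accepted:", handle_send(s, {"to": "x@example", "csrf_token": s.csrf_token}))
```

Run as a script it prints False/True for each check: the CSRF check does its job against a request that lacks the token, and the escaped renderer keeps the injected marker inert, but nothing in the token mechanism itself hides the token from script that is already executing in the page.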